
Security

Last Command, a product of Instance Labs LTD, is committed to protecting your data and maintaining a secure environment for all users.

1. Data Encryption

All data is encrypted in transit using TLS/HTTPS. All stored data is encrypted at rest using AWS-managed encryption keys (AES-256). This applies to databases, backups, and any temporary storage.

2. Authentication & Access Control

Sign-in is handled by a managed authentication service with secure password hashing. Passwords are never stored in plaintext and are never accessible to our team. Access within the platform is controlled by a role-based permission system (R5 through R1) that restricts what actions each member can perform.

Internal access to infrastructure follows the principle of least privilege. Production systems are only accessible to authorised personnel.

3. Infrastructure & Hosting

Last Command is hosted on Amazon Web Services in the EU West (London) region. Our infrastructure is built on enterprise-grade managed services so we never run our own servers:

  • Serverless compute — no persistent servers to compromise
  • Fully managed database, encrypted at rest
  • Request validation and rate limiting at the network edge
  • Secure cloud hosting for the web application
  • Continuous performance monitoring and tracing

4. Input Validation & Application Security

All user input is validated and sanitised on both the client and server side using Zod schemas. We implement protections against common attack vectors including:

  • Cross-site scripting (XSS) — user content is sanitised with DOMPurify
  • Injection attacks — parameterised queries and strict input validation
  • Rate limiting on sensitive endpoints (AI extraction, bulk operations)
  • CSRF protection via SameSite cookie policies

5. AI & Screenshot Handling

Screenshots uploaded for AI-powered data extraction are processed entirely in memory in a short-lived serverless function. Images are sent directly to our AI provider for analysis and are never stored — not in databases, not in file storage, not in logs. Only the extracted structured data (player names and scores) is returned.

Our AI provider does not use your data for model training. Processing typically completes in under 30 seconds.

6. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never receive, process, or store your full card details. Payment information flows directly from your browser to Stripe's servers.

7. Incident Response

We monitor our systems for security incidents and respond promptly to any issues. In the event of a data breach that affects your personal data, we will notify affected users and the Information Commissioner's Office (ICO) in accordance with UK GDPR requirements (within 72 hours of becoming aware).

8. Dependency Management

We regularly audit and update our dependencies to patch known vulnerabilities. Security advisories are monitored and critical patches are applied promptly.

9. Responsible Disclosure

If you discover a security vulnerability in Last Command, we encourage responsible disclosure. Please report it to us and we will work with you to understand and address the issue before any public disclosure.

Report a vulnerability

Email: legal@instancelabs.dev

Please include a description of the issue, steps to reproduce, and any supporting evidence.

We ask that you:

  • Give us reasonable time to investigate and fix the issue before disclosing publicly
  • Do not access or modify other users' data
  • Do not perform actions that could degrade or disrupt the Service
  • Act in good faith to avoid privacy violations and service disruption

10. Contact

For any security questions or concerns, contact us at:

Instance Labs LTD

66 Paul Street, London, EC2A 4NA, United Kingdom

Company No. 17053174 (registered in England & Wales)

Email: legal@instancelabs.dev

For more information about how we handle your data, see our Privacy Policy and Cookie Policy.